Author: NFT Labs, Rhythm Research Institute
The world of Crypto is like a dark forest, and there may be countless crises lurking around you. Recently, some hackers took advantage of the OpenSea contract upgrade to send a phishing email to all users' mailboxes; many users mistook it for an official email and authorized their wallets, which led to the wallets being robbed. According to statistics, this email caused at least 3 BAYC, 37 Azuki, 25 NFT Worlds and other NFTs to be stolen. Based on the floor price, the hacker's income has reached 4.16 million US dollars.
On the same night, the 1/1 Doodle held by Niq, a Tongji University student who has long been "all in" on NFTs, was also stolen: the other party negotiated a deal with Niq privately and, once his guard was down, sent him a link to a fake trading site.
Nowadays, the attacks we need to guard against exist not only at the technical level but also come from social engineering. In addition, the prices of many NFT projects are rising, and a moment of carelessness can cost you a huge amount of money. In view of the recent frequency of fraud in the NFT field, Rhythm has summarized several common types of fraud, and hopes that readers will stay vigilant and not be deceived.
Private-message links on Discord are a common method of deception. Hackers often send private messages in bulk to members of different Discord communities, or pretend to be community administrators offering to help solve a problem, and, once they have privately gained the user's trust, trick the user out of the wallet's private key. Or they send a fake phishing website, telling users that they can receive an NFT for free, and so on. Once the user authorizes the fake website copied by the hacker, the user suffers huge losses.
Having its Discord server hacked is something that almost every popular NFT project will experience. The hackers publish fake announcements to trick community members into buying fake NFTs from fake websites that the hackers have built. Today's hackers obtain the server administrator's token by sending fraudulent websites and similar lures, so even if the administrator has turned on two-factor authentication (2FA), it does not help. And if the fraudulent website built by the hacker asks for authorization of the user's wallet, it causes even more serious property losses for the user.
This type of deception is common in NFT transactions where scammers negotiate privately with users. Trading platforms such as Sudoswap and NFTtrader encourage users to "exchange" each other's NFTs or tokens through private negotiation, and these platforms also provide security for privately negotiated transactions. This is a good thing for the NFT market, but some hackers have now begun to defraud users through fake Sudoswap and NFTtrader websites.
Sudoswap and NFTtrader require users to initiate a transaction after the negotiation is completed. This step generates an order confirmation page. At the beginning, the scammer pretends to negotiate with you over which NFTs to exchange and first shows you a real website link, then proposes to modify the transaction. After the trader relaxes his vigilance, the scammer sends a fraudulent link. After the user clicks to confirm the transaction, the corresponding NFT in the wallet is sent to the scammer's wallet.
Scammers use various means to induce users to hand over their private keys or mnemonic phrases, such as building fraudulent websites or pretending to be administrators helping users. All of these behaviors are meant to lower the user's vigilance while the scammer waits for an opportunity to obtain the private key and mnemonic.
Fake NFT collections are most easily encountered just before popular projects are released. Before the NFT blind box officially launches, scammers upload NFT collections with similar names to NFT trading platforms such as OpenSea in advance, and "decorate" the collection convincingly using the official information released beforehand. While the real NFT collection is not yet online, users searching for it will first find the collection with the closest name. To convince users, some scammers also place offer bids on the fake NFTs that are currently listed and create several more transactions.
To save on platform and project royalties, community members conduct private transactions among themselves. Besides the imitation Sudoswap and NFTtrader websites mentioned above, there are also scammers who post links on community channels to fake NFT collections priced slightly below the floor price. Users rushing to buy NFTs below the floor price tend to overlook their authenticity and are deceived.
Most NFT platforms require users to bind an email address so that they learn the transaction status of their NFTs right away, so email has become a gathering place for fraud. Scammers usually pretend to be the official account of the OpenSea platform and send users phishing website links under pretexts such as contract address modification or wallet re-verification. Recently, after OpenSea announced its contract upgrade, hackers defrauded users of nearly $4 million in this way. As of the date of writing, the OpenSea team is still investigating the compromised users.
No matter what elaborate packaging the hacker uses, and however he confuses you, when he finally steals your crypto assets there will always be some interaction with your wallet. Ordinary users may not have the ability to identify contract risks, but fortunately we are still in an Internet world dominated by web2. Almost all crypto contracts need a web2 front-end webpage to interact with users.
Therefore, the vast majority of crypto asset thefts from users (rather than from project parties) occur on counterfeit phishing websites. Once you know how to identify phishing websites, that is enough to help you avoid 99% of crypto asset theft.
Generation Z, who grew up with smartphones, live in an "ecology" created by one app after another and may have neglected the old-fashioned web page. In the web2 era, the DNS domain name system gives each website a unique identity on the entire network. Knowing the basic rules of domain name composition is enough to deal with almost all fake phishing websites.
In a traditional DNS domain name, the hierarchy is divided into three levels. Reading from right to left starting at the first separator (/), each period separates a level. Take https://www.opensea.io/ as an example. ".io", like ".com" and ".cn", is called a top-level domain name, and this field cannot be customized. "opensea" is called the second-level domain name, that is, the subject of the domain name, and this field cannot be repeated under the same top-level domain name (such as .io). The "www" part is a third-level domain name, and the website operator can set this field himself. Operators can even continue to add fourth-level and fifth-level domain names before "www".
The hierarchical order of domain names is counter-intuitive: the levels descend from right to left. This design is exactly the opposite of most people's reading habits, and it gives attackers an opportunity. For example, although the address https://www.opensea.io.example.com looks very similar to the OpenSea address, its actual domain name is "example.com", not "opensea.io".
It is still hard to predict whether there will be phishing attacks on Web3. But in the Web2 world, the DNS domain name system ensures the uniqueness of domain names (or URLs), and it is almost impossible for users to open a fake website when the domain name is the genuine one.
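The right-to-left reading of a domain name described above can be automated before a link is opened. The following Python sketch is an added example, not code from the original article: the function names, the trusted-domain list and the short multi-label suffix set are assumptions made for illustration, and it generalizes slightly beyond the text by handling suffixes such as "co.uk".

```python
from urllib.parse import urlsplit

# Assumption: a small constructed subset of multi-label public suffixes.
# Real tooling should load the full Public Suffix List instead.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.cn", "com.au"}

# Assumption: the registrable domains the user actually intends to visit.
TRUSTED_DOMAINS = {"opensea.io"}


def registrable_domain(url: str) -> str:
    """Return the second-level domain plus its suffix, read right to left."""
    host = urlsplit(url).hostname  # drops scheme, userinfo, port and path
    if not host:
        raise ValueError(f"no hostname in {url!r}")
    labels = host.rstrip(".").split(".")
    # The suffix comes first from the right, then the label the owner registered.
    suffix_len = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    return ".".join(labels[-(suffix_len + 1):])


def check_link(url: str) -> dict:
    """Judge a link by its registrable domain, not by how the host looks."""
    parts = urlsplit(url)
    domain = registrable_domain(url)
    trusted = parts.scheme == "https" and domain in TRUSTED_DOMAINS
    # A trusted name sitting in lower-level labels of another domain is the
    # look-alike pattern from the text (www.opensea.io.example.com).
    lookalike = domain not in TRUSTED_DOMAINS and any(
        name in parts.hostname for name in TRUSTED_DOMAINS
    )
    return {"domain": domain, "trusted": trusted, "lookalike": lookalike}


# Constructed sample links; example.com is the stand-in domain used in the text.
SAMPLES = [
    "https://www.opensea.io/",
    "https://www.opensea.io.example.com/",
    "https://shop.example.co.uk/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, check_link(link))
```

The check compares only the registrable domain, so any number of third-, fourth- or fifth-level labels in front of it cannot make an unrelated domain pass.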
Crypto wallets are not like Web2 e-mail and other accounts: the private key and mnemonic cannot be modified or retrieved. Once they are leaked, the wallet is effectively owned by both you and the hacker at the same time, and all the assets in your wallet can be transferred by the hacker at any time. Due to the anonymity of Ethereum addresses, you cannot find out who the hacker is, the loss cannot be recovered, and the wallet can no longer be used.
If you have authorized your wallet on a fraudulent website, you can go to the following three addresses to check the wallet authorization status and cancel it in time:
https://etherscan.io/tokenapprovalchecker
https://revoke.cash/
https://debank.com/